
4 Commits
rawhide ... f38

Author SHA1 Message Date
Peter Jones
f35ed4489f Fix fbx64/mmx64 signing.
Related: rhbz#2189197

Signed-off-by: Peter Jones <pjones@redhat.com>
2024-03-19 16:15:05 -04:00
Peter Jones
a0b1fc2aa1 rpmmacros: update for pesign -h behavior change...
pesign's hash function changed behavior so that its output fields are in
the same order that sha256sum and similar tools use.  This patch takes that
into account.

Signed-off-by: Peter Jones <pjones@redhat.com>
2024-03-14 15:02:33 -04:00
Peter Jones
f12ed075c6 Update to shim-15.8
Resolves: CVE-2023-40546
Resolves: CVE-2023-40547
Resolves: CVE-2023-40548
Resolves: CVE-2023-40549
Resolves: CVE-2023-40550
Resolves: CVE-2023-40551
Resolves: rhbz#2113005
Resolves: rhbz#2189197
Resolves: rhbz#2238884
Resolves: rhbz#2259264

Signed-off-by: Peter Jones <pjones@redhat.com>
2024-03-12 16:52:12 -04:00
Miroslav Suchý
888339bc4c Migrate to SPDX license
This is part of https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2
The license analysis is here http://miroslav.suchy.cz/fedora/spdx-reports/shim.html
2024-03-12 16:30:22 -04:00
3 changed files with 30 additions and 11 deletions


@ -3,9 +3,11 @@
%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} %global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} %global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
%global grub_version 2.06~rc1 %global grub_version 2.06-63
%global fwupd_version 1.5.8 %global fwupd_version 1.5.8
%define __pesign_client_cert grub2-signer
%global bootcsvaa64 %{expand:%{SOURCE10}} %global bootcsvaa64 %{expand:%{SOURCE10}}
%global bootcsvarm %{expand:%{SOURCE13}} %global bootcsvarm %{expand:%{SOURCE13}}
%global bootcsvia32 %{expand:%{SOURCE11}} %global bootcsvia32 %{expand:%{SOURCE11}}
@ -16,10 +18,10 @@
%global shimefiia32 %{expand:%{SOURCE21}} %global shimefiia32 %{expand:%{SOURCE21}}
%global shimefix64 %{expand:%{SOURCE22}} %global shimefix64 %{expand:%{SOURCE22}}
%global shimveraa64 15.6-2 %global shimveraa64 15.8-2
%global shimverarm 15.4-1.fc34 %global shimverarm 15.4-1.fc34
%global shimveria32 15.6-1 %global shimveria32 15.8-2
%global shimverx64 15.6-1 %global shimverx64 15.8-2
%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
%global shimdirarm %{_datadir}/shim/%{shimverarm}/arm %global shimdirarm %{_datadir}/shim/%{shimverarm}/arm
@ -75,8 +77,8 @@ version signed by the UEFI signing service. \
# -i <input> # -i <input>
%define hash(a:i:d:) \ %define hash(a:i:d:) \
pesign -i %{-i*} -h -P > shim.hash \ pesign -i %{-i*} -h -P > shim.hash \
read file0 hash0 < shim.hash \ read hash0 file0 < shim.hash \
read file1 hash1 < %{-d*}/shim%{-a*}.hash \ read hash1 file1 < %{-d*}/shim%{-a*}.hash \
if ! [ "$hash0" = "$hash1" ]; then \ if ! [ "$hash0" = "$hash1" ]; then \
echo Invalid signature\! > /dev/stderr \ echo Invalid signature\! > /dev/stderr \
echo $hash0 vs $hash1 \ echo $hash0 vs $hash1 \
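Review bot: The `hash` macro treats the first field of each line as the digest but never checks that it looks like one, so `if ! [ "$hash0" = "$hash1" ]` is only meaningful when both `shim.hash` and `%{-d*}/shim%{-a*}.hash` were written by a pesign that uses the new field order. If both files were still in the older order, `hash0` and `hash1` would presumably hold file names, and matching names would pass the check without any digest being compared. Consider rejecting non-digest values before the comparison and failing the build the same way the mismatch branch does, for example `case "$hash0$hash1" in ""|*[!0-9a-fA-F]*) echo Malformed hash file > /dev/stderr ; exit 1 ;; esac \`, and use `read -r` on both reads. The macro body continues past the end of this hunk, so any handling after the `echo` lines is not visible here.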


@ -4,8 +4,8 @@
%global dist %{expand:%%{_dist}} %global dist %{expand:%%{_dist}}
Name: shim Name: shim
Version: 15.6 Version: 15.8
Release: 2%{?dist} Release: 3%{?dist}
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/rhboot/shim/ URL: https://github.com/rhboot/shim/
@ -107,6 +107,23 @@ install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
%endif %endif
%changelog %changelog
* Tue Mar 19 2024 Peter Jones <pjones@redhat.com> - 15.8-3
- Fix fbx64/mmx64 signing.
Related: rhbz#2189197
* Tue Mar 12 2024 Peter Jones <pjones@redhat.com> - 15.8-2
- Update to shim-15.8
Resolves: CVE-2023-40546
Resolves: CVE-2023-40547
Resolves: CVE-2023-40548
Resolves: CVE-2023-40549
Resolves: CVE-2023-40550
Resolves: CVE-2023-40551
Resolves: rhbz#2113005
Resolves: rhbz#2189197
Resolves: rhbz#2238884
Resolves: rhbz#2259264
* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2 * Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2
- Update aarch64 (only) with relocation fixes - Update aarch64 (only) with relocation fixes
- Resolves: #2101248 - Resolves: #2101248


@ -1,3 +1,3 @@
SHA512 (shimx64.efi) = 06488f3f5daf09b3e37e160721e9bf4c68a3ea17dcd19fad7dd1d7edbcf4c218a5b6264e7780bef46e400213459c1a8c9a0c4c1c48f7fe5d7b55b868dbdc3823 SHA512 (shimaa64.efi) = 8891ba415802b97828b7939b81c0235610f3648fd257df8e4b754e1fa4899da9e202fd1be95bbcb095816525b601a6ecfa3ec94be08de5f5fa1911cffc683d13
SHA512 (shimia32.efi) = 8241bed8c3e2789741da15e265efb6a1d35d02c4ffbfd21428910c9e366575137a3d9d0c73aa10e62d59d81a98496668a05c5ac7f18a677ccb54e884db48f507 SHA512 (shimia32.efi) = 6d4396f289400516b883733f0fd3621e7ec4d70afd02e988651f37db81298775da69c04b998d87a4760b2fa4b96130c70eb0875fad1cf290c52ea606ae40d12e
SHA512 (shimaa64.efi) = b2b77ebbdeda9f9110dd9a6ef4ad15ae57b53ce01ef5c912163159226dc39d5ed35e0dbcfa46dc8ab9f714b63aaea52cd42746aa54155313b43dd27dd57a62f5 SHA512 (shimx64.efi) = cc23d8c3cb2dcf749075268b77eb796fb430182cbbc04171ded14d43e32b4a5cdeeb1a08666ee0e288bd37d63f657a9af5e7f2012dd70694d11212d705c60b42